
ambient: fix auto-allow waypoint #50710

Merged (2 commits, Apr 29, 2024)

Conversation

stevenctl (Contributor):

Taking over #50617

Probably we need to increase our test coverage here
@stevenctl stevenctl requested review from a team as code owners April 26, 2024 20:45
@stevenctl stevenctl added the release-notes-none Indicates a PR that does not require release notes. label Apr 26, 2024
@istio-testing istio-testing added the size/M Denotes a PR that changes 30-99 lines, ignoring generated files. label Apr 26, 2024
@stevenctl stevenctl force-pushed the fix-auto-allow branch 2 times, most recently from 47740eb to 3df654d Compare April 26, 2024 22:44
@istio-testing istio-testing added size/L Denotes a PR that changes 100-499 lines, ignoring generated files. and removed size/M Denotes a PR that changes 30-99 lines, ignoring generated files. labels Apr 26, 2024
@stevenctl stevenctl force-pushed the fix-auto-allow branch 2 times, most recently from 2807dc2 to 5151551 Compare April 29, 2024 16:18
@@ -124,7 +126,7 @@ func implicitWaypointPolicy(ctx krt.HandlerContext, waypoint Waypoint) *model.Wo
{
Principals: slices.Map(waypoint.ServiceAccounts, func(sa string) *security.StringMatch {
return &security.StringMatch{MatchType: &security.StringMatch_Exact{
Exact: spiffe.MustGenSpiffeURI(waypoint.Namespace, sa),
Exact: strings.TrimPrefix(spiffe.MustGenSpiffeURI(waypoint.Namespace, sa), spiffe.URIPrefix),
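Review bot: the new `Exact:` value silently depends on `spiffe.URIPrefix` being exactly the scheme that `spiffe.MustGenSpiffeURI` emits; if the two ever diverge, `TrimPrefix` is a no-op and the policy falls back to the untrimmed form that did not match. Since the description already notes the coverage gap, this hunk would benefit from a unit test asserting that `implicitWaypointPolicy` produces a principal without the `spiffe://` prefix, e.g. one that constructs a `Waypoint` with a single service account and checks the resulting `StringMatch_Exact` value.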
Contributor:

Do the SANs not have a spiffe:// prefix? Do SPIRE generated SANs have a spiffe prefix?

bleggett (Contributor), Apr 29, 2024:

Also, can't we just use StringMatch_Prefix directly here, rather than trimming the prefix?

stevenctl (Contributor, Author):

        // Istio matches all assumes spiffe:// prefix. This includes prefix matches.
        // A prefix match for "*foo" means "spiffe://*foo".
        // So we strip it, and fail if it isn't present.
        let Some(check) = check.strip_prefix("spiffe://") else {
            return false;
        };

This is what zTunnel does

bleggett (Contributor), Apr 29, 2024:

Istio matches all assumes spiffe:// prefix. This includes prefix matches.

Why do we assume that, I wonder. It's not simpler than just matching on spiffe://ns/sa prefixes consistently everywhere, since, as @keithmattix pointed out, the spiffe:// prefix is non-optional.

Oh well.

Member:

Property of the AuthorizationPolicy API fwiw, not a recent decision in ztunnel
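An added Go example (not Istio's or ztunnel's code) of the convention debated above: the peer's SAN is compared only after its spiffe:// scheme is stripped, so an Exact principal that still carries spiffe:// (the behaviour before this PR) never matches, while the trimmed form from the hunk does. It assumes a hypothetical genSpiffeURI standing in for spiffe.MustGenSpiffeURI and a constructed trust domain cluster.local.

```go
package main

import (
	"fmt"
	"strings"
)

// spiffePrefix is the scheme every Istio workload identity carries.
const spiffePrefix = "spiffe://"

// Match mirrors the StringMatch kinds from the thread; set Exact or Prefix.
type Match struct {
	Exact  string
	Prefix string
}

// principalMatches applies the AuthorizationPolicy convention the thread
// describes: "spiffe://" is stripped from the peer SAN before comparison.
func principalMatches(m Match, peerSAN string) bool {
	if !strings.HasPrefix(peerSAN, spiffePrefix) {
		return false // non-SPIFFE SANs never satisfy a principal rule
	}
	id := strings.TrimPrefix(peerSAN, spiffePrefix)
	if m.Exact != "" {
		return id == m.Exact
	}
	return strings.HasPrefix(id, m.Prefix)
}

// genSpiffeURI is a hypothetical stand-in for spiffe.MustGenSpiffeURI (constructed trust domain).
func genSpiffeURI(ns, sa string) string {
	return spiffePrefix + "cluster.local/ns/" + ns + "/sa/" + sa
}

// implicitWaypointPrincipal builds the Exact value: untrimmed (before the fix) or trimmed (the hunk).
func implicitWaypointPrincipal(ns, sa string, trim bool) string {
	if trim {
		return strings.TrimPrefix(genSpiffeURI(ns, sa), spiffePrefix)
	}
	return genSpiffeURI(ns, sa)
}

func main() {
	peer := genSpiffeURI("default", "waypoint")
	for _, trim := range []bool{false, true} {
		p := implicitWaypointPrincipal("default", "waypoint", trim)
		fmt.Printf("trim=%v principal=%q matches=%v\n", trim, p, principalMatches(Match{Exact: p}, peer))
	}
}
```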

@stevenctl stevenctl added the cherrypick/release-1.22 Set this label on a PR to auto-merge it to the release-1.22 branch label Apr 29, 2024
@istio-testing istio-testing merged commit 48516ef into istio:master Apr 29, 2024
28 checks passed
istio-testing (Collaborator):

In response to a cherrypick label: new pull request created: #50752
